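# NixOS module for go-camo: declares `services.go-camo.*` options and, when
# enabled, a systemd unit that starts the go-camo binary with the configured
# flags and an HMAC key delivered through a systemd credential.
{ lib, pkgs, config, ... }:

let
  cfg = config.services.go-camo;
  inherit (lib) mkOption mkEnableOption mkIf types optionalString;
in
{
  options.services.go-camo = {
    enable = mkEnableOption "go-camo service";

    # Each optional setting below is turned into its command-line flag by
    # `apply`, or into "" when unset; the empty strings are filtered out
    # before the command line is assembled in `script`.
    listen = mkOption {
      type = types.nullOr types.str;
      default = null;
      description = "Address:Port to bind to for HTTP (default: 0.0.0.0:8080).";
      apply = v: optionalString (v != null) "--listen=${v}";
    };

    sslListen = mkOption {
      type = types.nullOr types.str;
      default = null;
      description = "Address:Port to bind to for HTTPS.";
      apply = v: optionalString (v != null) "--ssl-listen=${v}";
    };

    sslKey = mkOption {
      type = types.nullOr types.path;
      default = null;
      description = ''
        Path to TLS private key.
        Give this as a string holding an absolute path (for example "/var/lib/secrets/tls.key").
        A Nix path literal is copied into the world-readable Nix store when the flag is built.
        The file is handed to go-camo by path, so the service user must be able to read it.
      '';
      apply = v: optionalString (v != null) "--ssl-key=${v}";
    };

    sslCert = mkOption {
      type = types.nullOr types.path;
      default = null;
      description = "Path to TLS certificate.";
      apply = v: optionalString (v != null) "--ssl-cert=${v}";
    };

    # No default: `null` is not a valid `types.path` value, so the previous
    # `default = null` could only ever surface as a type error. Leaving the
    # option undefined makes an unset key fail with the module system's
    # "used but not defined" error instead.
    keyFile = mkOption {
      type = types.path;
      description = ''
        A file containing the HMAC key to use for signing URLs.
        The file can contain any string. Can be generated using "openssl rand -base64 18 > the_file".
        Give this as a string holding an absolute path (for example "/var/lib/secrets/go-camo-hmac").
        A Nix path literal is copied into the world-readable Nix store, which would expose the key.
      '';
    };

    extraOptions = mkOption {
      type = with types; listOf str;
      default = [];
      description = "Extra options passed to the go-camo command.";
    };
  };

  config = mkIf cfg.enable {
    systemd.services.go-camo = {
      description = "go-camo service";
      wantedBy = [ "multi-user.target" ];
      after = [ "network.target" ];
      environment = {
        # %d is the systemd specifier for the unit's credentials directory;
        # "hmac" is the credential name declared in LoadCredential below.
        GOCAMO_HMAC_FILE = "%d/hmac";
      };
      script = ''
        # Assign first, then export: `export VAR=$(cmd)` returns the status of
        # `export` and would hide a failing `cat`, letting the service start
        # without a key when the script runs under errexit.
        GOCAMO_HMAC=$(cat "$GOCAMO_HMAC_FILE")
        export GOCAMO_HMAC
        exec ${lib.escapeShellArgs (lib.lists.remove "" ([ "${pkgs.go-camo}/bin/go-camo" cfg.listen cfg.sslListen cfg.sslKey cfg.sslCert ] ++ cfg.extraOptions))}
      '';
      serviceConfig = {
        NoNewPrivileges = true;
        ProtectSystem = "strict";
        # Runs under a transient user/group allocated by systemd at start,
        # named by User/Group below.
        DynamicUser = true;
        User = "gocamo";
        Group = "gocamo";
        # The key is exposed to the unit as the credential "hmac", so the
        # source file does not have to be readable by the service user.
        LoadCredential = [
          "hmac:${cfg.keyFile}"
        ];
      };
    };
  };
}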